

HELP!! I tried the "Am I infected" board and didn't get a response...


This topic is locked
34 replies to this topic

#1 gwhiz9999

  • Members
  • 108 posts

Posted 19 February 2015 - 02:52 AM

I have a problem with my computer that is ongoing.  I posted a "new topic" on the "Am I infected" board quite some time ago, but never got a reply, so I am trying to find help on this forum.

 

I have an XP pc that was running fine until early February.  Since then, the pc is running very slowly.  Initially, the most noticeable issue was an extra "explorer.exe" process running in the high 90%s, and more recently, with strange processes popping up on the task manager list, such as "cmd.exe" and "notepad.exe" running at high rates, randomly, even though those programs aren't running.  When I kill those processes, I often get somewhat better, but rather temporary results, and they come back, variably.  "svchost.exe" and "explorer.exe" keep doing it, too.

 

Can someone help?  I need this pc to function properly, at least for the near future.


Edited by gwhiz9999, 19 February 2015 - 03:11 AM.



#2 satchfan

  • Malware Response Team
  • 2,641 posts
  • Gender:Female
  • Location:Devon, UK

Posted 19 February 2015 - 04:19 AM

Hello gwhiz9999 and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please run these in the order given in the instructions.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.


  • run AdwCleaner
  • when it has finished, select Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

===================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • press Scan button
  • it will produce a log called FRST.txt in the same directory the tool is run from
  • please copy and paste log back here.
  • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

Logs to include with next post:

AdwCleaner log
JRT.txt
FRST.txt
Addition.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.
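As an added example (not part of this thread, and not code from the FRST author or from BleepingComputer), here is a small Python triage helper that reads FRST.txt lines of the kind the step above produces and flags what a malware responder looks at first: lines FRST marks with ATTENTION, Group Policy software restrictions aimed at security-product directories, and Run / Policies\Explorer\Run autostarts that are GUID-named, carry no publisher, or launch from user-writable data directories. The sample log is constructed here, modelled on the FRST line format quoted in this thread; the regular expressions, the product list and the severity rules are this example's own assumptions, not FRST's.

```python
"""Triage helper for FRST-style log lines (added example, not FRST's own code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the lines mirror the FRST.txt "Registry" section format
# quoted in this thread (Run entries, Group Policy restriction lines, the
# SystemRestore policy line). Two benign Run entries are included as controls.
SAMPLE_FRST_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [BCMSMMSG] => C:\WINDOWS\BCMSMMSG.exe [122880 2003-08-29] (Broadcom Corporation)
HKLM\...\Run: [{412677f6-3e59-0ef7-9575-f3740b25f2fa}] => C:\Documents and Settings\All Users\Application Data\Microsoft\{412677f6-3e59-0ef7-9575-f3740b25f2fa}\{412677f6-3e59-0ef7-9575-f3740b25f2fa}.exe [341045 2015-02-12] ()
HKLM Group Policy restriction on software: C:\Program Files\AVG\AVG2014 <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM\...\Policies\Explorer\Run: [{412677f6-3e59-0ef7-9575-f3740b25f2fa}] => C:\Documents and Settings\All Users\Application Data\Microsoft\{412677f6-3e59-0ef7-9575-f3740b25f2fa}\{412677f6-3e59-0ef7-9575-f3740b25f2fa}.exe [341045 2015-02-12] ( ())
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-18\...\Run: [DWQueuedReporting] => c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [437160 2007-02-26] (Microsoft Corporation)
"""

# FRST appends "<===== ATTENTION" (the number of '=' varies) to lines it wants reviewed.
ATTENTION_RE = re.compile(r"<=+\s*ATTENTION\s*$")
# HKLM\...\Run: [name] => path [size date] (publisher)   -- also Policies\Explorer\Run
RUN_RE = re.compile(
    r"^(?P<hive>HK\S*?\\\.\.\.\\(?:Policies\\Explorer\\)?Run): "
    r"\[(?P<name>[^\]]+)\] => (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] (?P<vendor>\(.*\))$"
)
GPO_RE = re.compile(r"^HKLM Group Policy restriction on software: (?P<path>.+?)\s*<=+\s*ATTENTION")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)

# Security products named in the restriction lines of this thread's FRST log (assumed list).
SECURITY_PRODUCT_HINTS = ("avg", "malwarebytes", "mcafee", "kaspersky", "trend micro",
                          "superantispyware", "microsoft antimalware")
# Directories an unprivileged process can write to; legitimate autostarts rarely live there.
USER_WRITABLE_HINTS = ("\\application data\\", "\\programdata\\", "\\appdata\\", "\\temp\\")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return the lines of an FRST log a responder should review first, with a reason."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        gpo = GPO_RE.match(line)
        if gpo:
            target = gpo.group("path").lower()
            if any(hint in target for hint in SECURITY_PRODUCT_HINTS):
                findings.append(Finding("high", "software restriction policy blocks a security product directory", line))
            else:
                findings.append(Finding("medium", "software restriction policy present", line))
            continue
        run = RUN_RE.match(line)
        if run:
            reasons = []
            name, path, vendor = run.group("name"), run.group("path"), run.group("vendor")
            if GUID_RE.match(name):
                reasons.append("GUID-named autostart value")
            if not vendor.strip("() "):            # "()" or "( ())": no publisher recorded
                reasons.append("no publisher information")
            if any(hint in path.lower() for hint in USER_WRITABLE_HINTS):
                reasons.append("launches from a user-writable data directory")
            if "Policies\\Explorer\\Run" in run.group("hive"):
                reasons.append("persists via Policies\\Explorer\\Run")
            if reasons:
                findings.append(Finding("high" if len(reasons) >= 2 else "low", "; ".join(reasons), line))
            continue
        if ATTENTION_RE.search(line):
            findings.append(Finding("medium", "marked ATTENTION by FRST", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_FRST_LOG)))
```

On the sample above the helper ignores the two vendor-signed Run entries and reports the two GUID-named autostarts, both restriction lines and the disabled System Restore policy. The restriction lines matter most for a responder: a software restriction policy that names security-product directories is what produces the "prevented by a software restriction policy" error when the user tries to open or stop their antivirus, so those entries need to be removed before the protection software can be expected to work again.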


#3 gwhiz9999

  • Topic Starter
  • Members
  • 108 posts

Posted 19 February 2015 - 11:28 PM

Hi, Satchfan.  Thanks for the response.  There are a few things you might want to know before going through the logs you requested.

 

1.  The AdwCleaner download and scan went fine.

 

2.  When I tried to open/disable AVG, before running JRT.exe, it gave me an error message that said:

 

     "Windows cannot open this program because it has been prevented by a software restriction policy."

 

     There are 6 different AVG processes running in task manager, but it would not allow me to kill any of them.  Each time, it says:

 

     "The operation could not be completed.  Access is denied."

 

     The processes are:

 

     avgcsrvx.exe

     avgemcx.exe

     avgidsagent.exe

     avgnsx.exe

     avgrsx.exe

     avgwdsvc.exe

 

     I took AVG off the list of startup items in msconfig, but nothing seems to have changed.

 

     JRT doesn't seem to have found anything, but I will post the log anyway.

 

3.  When running FRST, it stopped responding.  I killed it and tried to run it again, but it did the same thing.  However, it apparently still produced the logs you wanted on the first try.  I didn't know if they would be correct/complete, which is why I tried to run it again.  The 2nd time, it produced no additional logs.

 

Anyway... like I said, I am not sure if they are complete, but here are the logs:

 

----------------------------------------------------------------------------------------------------

# AdwCleaner v4.111 - Logfile created 19/02/2015 at 18:48:09
# Updated 18/02/2015 by Xplode
# Database : 2015-02-18.3 [Server]
# Operating system : Microsoft Windows XP Service Pack 3 (x86)
# Username : Owner - GPM2
# Running from : C:\Documents and Settings\Owner\Desktop\adwcleaner_4.111.exe
# Option : Cleaning

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\FileViewPro
File Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorage
File Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorage-journal
File Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_services.hearstmags.com_0.localstorage-journal
File Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxp_services.hearstmags.com_0.localstorage
File Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage-journal
File Deleted : C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Key Deleted : HKLM\SOFTWARE\AVG SafeGuard toolbar
Key Deleted : HKLM\SOFTWARE\Driver-Soft
Key Deleted : HKLM\SOFTWARE\Trymedia Systems
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\fileopenerpro

***** [ Web browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Google Chrome v40.0.2214.111

[C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2418376
[C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://websearch.ask.com/redirect?client=ie&tb=GAM1&o=15491&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=HE&apn_dtid=YYYYYYYYUS&apn_uid=7CAA42F0-DF5D-4A15-8471-203D2A9D3397&apn_sauid=81FAC039-A413-4AA4-BFAE-4CE91CBA9125
[C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://websearch.ask.com/redirect?client=ie&tb=GAM1&o=15491&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=HE&apn_dtid=YYYYYYYYUS&apn_uid=7CAA42F0-DF5D-4A15-8471-203D2A9D3397&apn_sauid=81FAC039-A413-4AA4-BFAE-4CE91CBA9125
[C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [6058 bytes] - [11/11/2013 06:34:58]
AdwCleaner[R1].txt - [4020 bytes] - [19/02/2015 18:28:23]
AdwCleaner[S0].txt - [6217 bytes] - [11/11/2013 06:38:27]
AdwCleaner[S1].txt - [3989 bytes] - [19/02/2015 18:48:09]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [4048  bytes] ##########

-------------------------------------------------------------------------------------------------------------------------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.2 (02.02.2015:1)
OS: Microsoft Windows XP x86
Ran by Owner on Thu 02/19/2015 at 19:48:41.81
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 02/19/2015 at 20:23:24.79
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---------------------------------------------------------------------------------------------------------------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 18-02-2015 01
Ran by Owner (administrator) on GPM2 on 19-02-2015 22:22:13
Running from C:\Documents and Settings\Owner\Desktop
Loaded Profiles: Owner (Available profiles: Owner & Administrator)
Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\PROGRA~1\AVG\AVG2014\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgcsrvx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgwdsvc.exe
() C:\WINDOWS\Runservice.exe
(Ralink Technology, Corp.) C:\Program Files\Ralink\Common\RaRegistry.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgemcx.exe
(Broadcom Corporation) C:\WINDOWS\BCMSMMSG.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [BCMSMMSG] => C:\WINDOWS\BCMSMMSG.exe [122880 2003-08-29] (Broadcom Corporation)
HKLM\...\Run: [SoundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1404928 2004-10-14] (Analog Devices, Inc.)
HKLM\...\Run: [MSConfig] => C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE [169984 2008-04-14] (Microsoft Corporation)
HKLM\...\Run: [{412677f6-3e59-0ef7-9575-f3740b25f2fa}] => C:\Documents and Settings\All Users\Application Data\Microsoft\{412677f6-3e59-0ef7-9575-f3740b25f2fa}\{412677f6-3e59-0ef7-9575-f3740b25f2fa}.exe [341045 2015-02-12] ()
HKLM\...\Run: [{032b9fc7-cb60-5256-5d24-781a5037b22b}] => C:\Documents and Settings\All Users\Application Data\Microsoft\{032b9fc7-cb60-5256-5d24-781a5037b22b}\{032b9fc7-cb60-5256-5d24-781a5037b22b}.exe [376871 2015-02-17] ()
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG\AVG2014 <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\avg8 <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Trend Micro <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG\ <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\SUPERAntiSpyware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [{412677f6-3e59-0ef7-9575-f3740b25f2fa}] => C:\Documents and Settings\All Users\Application Data\Microsoft\{412677f6-3e59-0ef7-9575-f3740b25f2fa}\{412677f6-3e59-0ef7-9575-f3740b25f2fa}.exe [341045 2015-02-12] ( ())
HKLM\...\Policies\Explorer\Run: [{032b9fc7-cb60-5256-5d24-781a5037b22b}] => C:\Documents and Settings\All Users\Application Data\Microsoft\{032b9fc7-cb60-5256-5d24-781a5037b22b}\{032b9fc7-cb60-5256-5d24-781a5037b22b}.exe [376871 2015-02-17] ( ())
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-18\...\Run: [MySpaceIM] => C:\Program Files\MySpace\IM\MySpaceIM.exe [6373376 2009-12-01] ()
HKU\S-1-5-18\...\Run: [DWQueuedReporting] => c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [437160 2007-02-26] (Microsoft Corporation)
BootExecute: autocheck autochk * C:\PROGRA~1\AVG\AVG2014\avgrsx.exe /sync /restart

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-583907252-2000478354-839522115-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKU\S-1-5-21-583907252-2000478354-839522115-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} http://www.comcastsupport.com/OneClickFix/tgctlsr.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [113024 2011-12-20] (SuperAdBlocker.com)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @bittorrent.com/BitTorrentDNA -> C:\Program Files\DNA\plugins\npbtdna.dll (BitTorrent, Inc.)
FF Plugin: @divx.com/DivX Browser Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF Plugin: @divx.com/DivX Player Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF Plugin: @java.com/DTPlugin,version=10.9.2 -> C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll No File
FF Plugin: @java.com/JavaPlugin,version=10.9.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8117.0416 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-05-09]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\40.0.2214.111\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\40.0.2214.111\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\40.0.2214.111\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (DNA Plug-in) - C:\Program Files\DNA\plugins\npbtdna.dll (BitTorrent, Inc.)
CHR Plugin: (DivX Player Netscape Plugin) - C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
CHR Plugin: (DivX Web Player) - C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 7 U9) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (Windows Live® Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Windows Presentation Foundation) - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Plugin: (Java Deployment Toolkit 7.0.90.5) - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Profile: C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-25]
CHR Extension: (YouTube) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-11-02]
CHR Extension: (Google Search) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-11-02]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-22]
CHR Extension: (Gmail) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-11-02]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [116608 2011-12-20] (SUPERAntiSpyware.com) [File not signed]
R2 AVGIDSAgent; C:\Program Files\AVG\AVG2014\avgidsagent.exe [3247120 2014-12-16] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2014\avgwdsvc.exe [289328 2014-12-16] (AVG Technologies CZ, s.r.o.)
R2 LicCtrlService; C:\WINDOWS\runservice.exe [2560 2008-06-11] () [File not signed]
R2 RalinkRegistryWriter; C:\Program Files\Ralink\Common\RaRegistry.exe [185632 2009-12-15] (Ralink Technology, Corp.)
S4 RemoteAccess; C:\WINDOWS\system32\svchost.exe [14336 2008-04-14] (Microsoft Corporation)
S3 SystemUpdate; C:\WINDOWS\FrameworkUpdate\Update.exe [278016 2015-02-10] () [File not signed]
S2 Update service; C:\Program Files\Popcorn Time\Updater.exe [179200 2014-10-05] (Company) [File not signed]
S4 gusvc; "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 Aspi32; C:\WINDOWS\system32\Drivers\Aspi32.sys [23936 1997-12-22] (Adaptec)
R1 Avgdiskx; C:\WINDOWS\System32\DRIVERS\avgdiskx.sys [121624 2014-06-30] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriverl; C:\WINDOWS\System32\DRIVERS\avgidsdriverlx.sys [191256 2014-07-21] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\WINDOWS\System32\DRIVERS\avgidshx.sys [147736 2014-06-17] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\WINDOWS\System32\DRIVERS\avgidsshimx.sys [21272 2014-06-17] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [189720 2014-10-24] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\WINDOWS\System32\DRIVERS\avglogx.sys [241944 2014-06-17] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [98584 2014-10-29] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [27416 2014-06-17] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [197400 2014-10-20] (AVG Technologies CZ, s.r.o.)
R3 BCMModem; C:\WINDOWS\System32\DRIVERS\BCMSM.sys [1101696 2003-08-29] (Broadcom Corporation)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
R3 HTTP; C:\WINDOWS\System32\Drivers\HTTP.sys [265728 2009-10-20] (Microsoft Corporation) [File not signed]
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R2 PfModNT; C:\WINDOWS\system32\drivers\PfModNT.sys [15840 2003-03-05] (Creative Technology Ltd.) [File not signed]
S3 QCMerced; C:\WINDOWS\System32\DRIVERS\LVCM.sys [472332 2003-06-26] (Logitech Inc.)
R3 rt2870; C:\WINDOWS\System32\DRIVERS\rt2870.sys [818976 2010-02-12] (Ralink Technology, Corp.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-12-20] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-12-20] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R2 Scutum50; C:\WINDOWS\System32\Drivers\Scutum50.sys [19072 2009-04-21] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 USBCM; C:\WINDOWS\System32\DRIVERS\Sacm2A.sys [15429 2004-06-10] ( )
S3 catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys [X]
S3 cpuz132; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U3 TlntSvr; No ImagePath
U5 WinRM; C:\WINDOWS\System32\svchost.exe [14336 2008-04-14] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-19 22:00 - 2015-02-19 22:01 - 00027591 _____ () C:\Documents and Settings\Owner\Desktop\Addition.txt
2015-02-19 21:54 - 2015-02-19 22:22 - 00016680 _____ () C:\Documents and Settings\Owner\Desktop\FRST.txt
2015-02-19 21:34 - 2015-02-19 21:34 - 01126400 _____ (Farbar) C:\Documents and Settings\Owner\Desktop\FRST.exe
2015-02-19 20:23 - 2015-02-19 20:23 - 00000589 _____ () C:\Documents and Settings\Owner\Desktop\JRT.txt
2015-02-19 19:33 - 2015-02-19 19:33 - 01388274 _____ (Thisisu) C:\Documents and Settings\Owner\Desktop\JRT.exe
2015-02-19 19:01 - 2015-02-19 19:02 - 00004128 _____ () C:\Documents and Settings\Owner\Desktop\AdwCleaner[S1].txt
2015-02-19 18:27 - 2015-02-19 18:26 - 02126848 _____ () C:\Documents and Settings\Owner\Desktop\adwcleaner_4.111.exe
2015-02-19 14:28 - 2015-02-19 14:29 - 00000000 ____D () C:\Documents and Settings\Owner\Desktop\Poker
2015-02-10 20:14 - 2015-02-10 20:14 - 00000480 ____H () C:\Documents and Settings\Owner\Application Data\麽鎒駓覜
2015-02-10 20:14 - 2015-02-10 20:14 - 00000000 ____D () C:\WINDOWS\FrameworkUpdate
2015-02-08 11:07 - 2015-02-19 22:17 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2015-02-08 11:06 - 2015-02-19 22:17 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2015-02-08 11:06 - 2015-02-19 22:15 - 00032174 _____ () C:\WINDOWS\SchedLgU.Txt
2015-02-08 11:06 - 2015-02-08 11:06 - 00000000 ____N () C:\WINDOWS\Sti_Trace.log
2015-02-08 10:53 - 2015-02-19 22:19 - 00227518 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-08 10:29 - 2015-02-08 10:30 - 00027323 _____ () C:\Documents and Settings\Owner\My Documents\Addition.txt
2015-02-08 10:27 - 2015-02-08 10:30 - 00021502 _____ () C:\Documents and Settings\Owner\My Documents\FRST.txt
2015-02-08 10:27 - 2015-02-08 10:27 - 01124352 _____ (Farbar) C:\Documents and Settings\Owner\My Documents\FRST.exe
2015-02-07 10:54 - 2015-02-19 22:17 - 00000000 ___HD () C:\Documents and Settings\All Users\Application Data\{48C94F6B-5004-4FB7-8E0B-927FA86E578D}
2015-01-25 09:38 - 2015-02-09 14:45 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-01-25 09:36 - 2015-01-25 09:36 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-25 09:36 - 2015-01-25 09:36 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-01-25 09:36 - 2015-01-25 09:36 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-25 09:36 - 2014-11-21 06:14 - 00054360 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-01-25 09:36 - 2014-11-21 06:14 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-19 22:23 - 2009-05-09 14:16 - 00000422 ____H () C:\WINDOWS\Tasks\User_Feed_Synchronization-{39CFE49B-3195-48FA-A891-36E86B83D597}.job
2015-02-19 22:22 - 2013-12-05 09:00 - 00000000 ____D () C:\Documents and Settings\Owner\Local Settings\temp
2015-02-19 22:22 - 2013-09-14 21:18 - 00000000 ____D () C:\FRST
2015-02-19 22:18 - 2012-11-02 02:13 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-19 22:17 - 2014-04-04 16:52 - 00000222 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2015-02-19 22:17 - 2008-06-11 17:17 - 00002457 _____ () C:\WINDOWS\system32\mmf.sys
2015-02-19 22:17 - 2008-06-10 17:32 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-19 22:17 - 2003-07-16 15:53 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
2015-02-19 22:15 - 2008-06-10 17:39 - 00000178 ___SH () C:\Documents and Settings\Owner\ntuser.ini
2015-02-19 22:02 - 2012-11-02 02:13 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-19 19:08 - 2008-06-10 13:15 - 00000281 _____ () C:\boot.ini
2015-02-19 19:08 - 2003-07-16 15:51 - 00000611 _____ () C:\WINDOWS\win.ini
2015-02-19 19:08 - 2003-07-16 15:47 - 00000227 _____ () C:\WINDOWS\system.ini
2015-02-19 19:02 - 2010-08-17 21:39 - 00000000 ____D () C:\Documents and Settings\Owner\Desktop\ANTIMALWARE FINDERS-REMOVERS
2015-02-19 18:54 - 2008-06-10 17:30 - 00000000 ____D () C:\WINDOWS\system32\Restore
2015-02-19 18:50 - 2014-06-20 10:55 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\MFAData
2015-02-19 18:48 - 2013-11-11 06:34 - 00000000 ____D () C:\AdwCleaner
2015-02-19 18:38 - 2010-05-25 19:28 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2015-02-15 05:28 - 2008-06-10 17:39 - 00000000 ____D () C:\Documents and Settings\Owner
2015-02-08 15:04 - 2014-04-04 16:52 - 00000216 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2015-02-08 05:49 - 2009-01-19 15:50 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2015-02-08 03:10 - 2014-06-20 12:05 - 00005604 _____ () C:\Documents and Settings\Owner\Desktop\avgrep.txt
2015-02-06 22:19 - 2008-06-11 11:20 - 00000000 ____D () C:\Documents and Settings\Owner\My Documents\AAA TEMP
2015-02-05 13:26 - 2008-06-11 12:03 - 00000000 ____D () C:\Program Files\PokerStars.NET
2015-02-04 11:20 - 2009-10-03 18:45 - 00000000 ____D () C:\Documents and Settings\Owner\Application Data\vlc
2015-02-04 11:13 - 2013-12-13 08:40 - 00003532 _____ () C:\drmHeader.bin
2015-01-28 18:12 - 2014-12-26 04:40 - 00032256 _____ () C:\Documents and Settings\Owner\Desktop\NBA FANTASY CHART.xlr
2015-01-26 14:56 - 2012-10-12 01:15 - 00701616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-01-26 14:56 - 2012-04-04 04:06 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-01-25 10:10 - 2008-06-11 18:17 - 00000000 ____D () C:\Documents and Settings\Owner\My Documents\Out of the Park Developments
2015-01-25 09:57 - 2008-06-13 23:33 - 00000000 ____D () C:\WINDOWS\pss
2015-01-25 09:37 - 2008-07-23 14:34 - 00000000 ____D () C:\Documents and Settings\Owner\Application Data\Malwarebytes
2015-01-25 09:36 - 2008-07-23 14:33 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2015-01-22 04:09 - 2013-08-24 15:06 - 00000000 ____D () C:\WINDOWS\system32\MRT

==================== Files in the root of some directories =======

2015-02-10 20:14 - 2015-02-10 20:14 - 0000480 ____H () C:\Documents and Settings\Owner\Application Data\麽鎒駓覜
2010-03-04 15:37 - 2010-03-04 15:39 - 0012116 ____C () C:\Documents and Settings\Owner\Local Settings\Application Data\04lB
2011-11-26 12:23 - 2011-11-26 12:48 - 0016578 _____ () C:\Documents and Settings\Owner\Local Settings\Application Data\157850g1p046c522p184r5dtv4q8
2011-12-19 17:19 - 2011-12-19 17:25 - 0014210 _____ () C:\Documents and Settings\Owner\Local Settings\Application Data\5mwv4f68ye4yqy30247gfh2mk767pq2o2re24
2010-02-21 19:10 - 2010-02-21 20:46 - 0013424 ____C () C:\Documents and Settings\Owner\Local Settings\Application Data\rGu4hX2

Some content of TEMP:
====================
C:\Documents and Settings\Owner\Local Settings\temp\Quarantine.exe
C:\Documents and Settings\Owner\Local Settings\temp\sqlite3.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

------------------------------------------------------------------------------------------------------------------------

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 18-02-2015 01
Ran by Owner at 2015-02-19 22:24:32
Running from C:\Documents and Settings\Owner\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Free Edition 2014 (Disabled - Up to date) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials (Disabled - Up to date) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 4.65 (HKLM\...\7-Zip) (Version:  - )
AAC Decoder (HKLM\...\{AEF9DC35ADDF4825B049ACBFD1C6EB37}) (Version: 7.1.0 - DivX, Inc.)
Adobe AIR (HKLM\...\Adobe AIR) (Version: 2.0.3.13070 - Adobe Systems Inc.)
Adobe Flash Player 16 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 16.0.0.296 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
AnswerWorks 4.0 Runtime - English (HKLM\...\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}) (Version: 4.0.101 - Vantage Software Technologies)
Apple Software Update (HKLM\...\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}) (Version: 2.1.1.116 - Apple Inc.)
AutoUpdate (HKLM\...\{18D10072035C4515918F7E37EAFAACFC}) (Version: 1.1 - )
AVG 2014 (HKLM\...\AVG) (Version: 2014.0.4800 - AVG Technologies)
AVG 2014 (Version: 14.0.4257 - AVG Technologies) Hidden
AVG 2014 (Version: 14.0.4800 - AVG Technologies) Hidden
BCM V.92 56K Modem (HKLM\...\BCM V.92 56K Modem) (Version:  - )
BitTorrent (HKU\S-1-5-21-583907252-2000478354-839522115-1003\...\BitTorrent) (Version: 7.8.2.30182 - BitTorrent Inc.)
Broadcom 440x 10/100 Integrated Controller (HKLM\...\InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}) (Version: 3.29 - Broadcom)
Broadcom 440x 10/100 Integrated Controller (Version: 3.29 - Broadcom) Hidden
Cake Poker 2.0 (HKLM\...\Cake Poker 2.0) (Version: 2.0.1.3240 - Cake Poker N.V.)
CCleaner (remove only) (HKLM\...\CCleaner) (Version:  - )
DivX Codec (HKLM\...\{7B63B2922B174135AFC0E1377DD81EC2}) (Version: 6.8.5 - DivX, Inc.)
DivX Converter (HKLM\...\{13F3917B56CD4C25848BDC69916971BB}) (Version: 7.1.0 - DivX, Inc.)
DivX Converter (HKLM\...\{B13A7C41581B411290FBC0395694E2A9}) (Version: 7.1.0 - DivX, Inc.)
DivX Player (HKLM\...\{8ADFC4160D694100B5B8A22DE9DCABD9}) (Version: 7.2.0 - DivX, Inc.)
DivX Plus DirectShow Filters (HKLM\...\DivX Plus DirectShow Filters) (Version:  - DivX, Inc.)
DivX Version Checker (HKLM\...\{3FC7CBBC4C1E11DCA1A752EA55D89593}) (Version: 7.1.0.2 - DivX, Inc.)
DivX Web Player (HKLM\...\{B7050CBDB2504B34BC2A9CA0A692CC29}) (Version: 1.5.0 - DivX,Inc.)
DNA (HKU\S-1-5-21-583907252-2000478354-839522115-1003\...\BitTorrent DNA) (Version: 2.2.4 (16502) - BitTorrent Inc.)
Document eSort Components (HKLM\...\{5658CE44-2822-45C9-A5C0-F93AB4682BBF}) (Version: 3.1.1.74 - Intuit Inc.)
EmpirePoker (HKLM\...\EmpirePoker) (Version:  - EmpirePokerMaster)
Full Tilt Poker (HKLM\...\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}) (Version: 4.14.1.WIN.FullTilt.Real - Full Tilt Poker)
Google Chrome (HKLM\...\Google Chrome) (Version: 40.0.2214.111 - Google Inc.)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.26.9 - Google Inc.) Hidden
H.264 Decoder (HKLM\...\{A96E97134CA649888820BCDE5E300BBD}) (Version: 1.1.0 - DivX, Inc.)
HijackThis 2.0.2 (HKLM\...\HijackThis) (Version: 2.0.2 - TrendMicro)
Intel® Extreme Graphics Driver (HKLM\...\{8A708DD8-A5E6-11D4-A706-000629E95E20}) (Version:  - )
InterVideo WinDVD (HKLM\...\InterVideo WinDVD) (Version:  - )
Intuit Entitlement Client (HKLM\...\{FA0092C2-C0FE-40DA-A79E-E4C0FCA129F9}) (Version: 1.0.0 - Intuit Inc.)
Intuit Entitlement Client v8 (HKLM\...\{4C5B3CFD-DF38-49E2-82D9-5A933F36242F}) (Version: 8.0.24 - Intuit Inc.)
Java 7 Update 9 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217009FF}) (Version: 7.0.90 - Oracle)
Junk Mail filter update (Version: 14.0.8117.416 - Microsoft Corporation) Hidden
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2698023) (HKLM\...\M2698023) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Money 2004 (HKLM\...\{1D643CD7-4DD6-11D7-A4E0-000874180BB3}) (Version: 12.0.50 - Microsoft)
Microsoft Money 2004 System Pack (HKLM\...\{8C64E145-54BA-11D6-91B1-00500462BE80}) (Version: 12.0.80 - Microsoft)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218 (HKLM\...\{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}) (Version: 9.0.21022.218 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Word 2000 SR-1 (HKLM\...\{00170409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.3821 - Microsoft Corporation)
Microsoft Works 2001 Setup Launcher (HKLM\...\Works2001Setup) (Version:  - )
Microsoft Works 6.0 (HKLM\...\{F8D0829C-9C6F-11D3-8080-00C04FA329AA}) (Version: 06.00.1829 - Microsoft Corporation)
Microsoft Works Suite Add-in for Microsoft Word (HKLM\...\{5F629FE8-5B4C-4863-937A-AFC2961F7DD3}) (Version: 2.0.0.0000 - Microsoft Corporation)
MKV Splitter (HKLM\...\{AAC389499AEF40428987B3D30CFC76C9}) (Version: 1.0.1 - DivX, Inc.)
MXpie Patch for WinMX Network/WPNP 3.6.3.6 (HKU\S-1-5-21-583907252-2000478354-839522115-1003\...\MXpie Patch) (Version: 3.6.3.6 - )
MySpaceIM (HKLM\...\MySpaceIM) (Version: 1.0.823.0 - MySpace.com)
OneTouch Version 3.0 (HKLM\...\OneTouch Version 3.0) (Version: Version 3.0 - Visioneer Inc.)
Out of the Park Baseball 9 (HKLM\...\Out of the Park Baseball9) (Version: 9 - Out of the Park Developments)
PaperPort 7.02 (HKLM\...\PaperPort 7.02) (Version:  - )
PokerStars (HKLM\...\PokerStars) (Version:  - PokerStars)
PokerStars.net (HKLM\...\PokerStars.net) (Version:  - PokerStars.net)
Popcorn Time (HKLM\...\Popcorn Time_is1) (Version: Beta 4.3 - Popcorn Time)
ProSeries 2013 Shared Components  (HKLM\...\{27997608-50A8-466B-B534-743C7498B259}) (Version: 8.0.32 - Intuit Inc.)
ProSeries Basic Edition 2009 (HKLM\...\ProSeries Basic Edition 2009) (Version:  - )
ProSeries Basic Edition 2010 (HKLM\...\ProSeries Basic Edition 2010) (Version:  - )
ProSeries Basic Edition 2011 (HKLM\...\ProSeries Basic Edition 2011) (Version:  - )
ProSeries Basic Edition 2012 (HKLM\...\ProSeries Basic Edition 2012) (Version:  - )
ProSeries Basic Edition 2013 (HKLM\...\ProSeries Basic Edition 2013) (Version:  - Intuit Inc.)
Ralink RT2870 Wireless LAN Card (HKLM\...\{28DA7D8B-F9A4-4F18-8AA0-551B1E084D0D}) (Version: 1.5.7.0 - Ralink)
Scientific-Atlanta WebSTAR 2000 series Cable Modem (HKLM\...\WebSTAR DPC2100 Uninstall) (Version:  - )
Season Ticket Baseball 2003 (HKLM\...\Season Ticket Baseball 2003) (Version:  - )
Segoe UI (Version: 14.0.4327.805 - Microsoft Corp) Hidden
Skype™ 6.11 (HKLM\...\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}) (Version: 6.11.102 - Skype Technologies S.A.)
SoundMAX (HKLM\...\{F0A37341-D692-11D4-A984-009027EC0A9C}) (Version: 5.12.01.5246 - Analog Devices)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 4.41.1000 - SUPERAntiSpyware.com)
Theorica Divx ;-) Codecs (remove only) (HKLM\...\Theorica Divx ;-) Codecs) (Version: 5.0 - )
TreeSize Free V3.0.1 (HKLM\...\TreeSize Free_is1) (Version: 3.0.1 - JAM Software)
VC80CRTRedist - 8.0.50727.762 (Version: 1.0.0 - DivX, Inc) Hidden
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player 1.0.2 (HKLM\...\VLC media player) (Version: 1.0.2 - VideoLAN Team)
WebFldrs XP (Version: 9.50.6513 - Microsoft Corporation) Hidden
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Live Essentials (HKLM\...\WinLiveSuite_Wave3) (Version: 14.0.8117.0416 - Microsoft Corporation)
Windows Live ID Sign-in Assistant (HKLM\...\{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}) (Version: 6.500.3165.0 - Microsoft Corporation)
Windows Live OneCare safety scanner (HKLM\...\Windows Live OneCare safety scanner) (Version:  - )
Windows Live Sync (HKLM\...\{B10914FD-8812-47A4-85A1-50FCDE7F1F33}) (Version: 14.0.8117.416 - Microsoft Corporation)
Windows Live Upload Tool (HKLM\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)
Windows Management Framework Core (HKLM\...\KB968930) (Version:  - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
Winmx Community 1 (HKLM\...\Winmx Community 1) (Version:  - )
WinRAR 5.00 (32-bit) (HKLM\...\WinRAR archiver) (Version: 5.00.0 - win.rar GmbH)
Works Suite OS Pack (Version: 1.0.0.0000 - Microsoft Corporation) Hidden
Works Synchronization (Version: 1.0.0.0000 - Your Company Name) Hidden
XP Codec Pack (HKLM\...\XP Codec Pack) (Version:  - )
Xvid 1.2.2 final uninstall (HKLM\...\Xvid_is1) (Version: 1.2 - Xvid team (Koepi))
Yahoo! Messenger (HKLM\...\Yahoo! Messenger) (Version:  - Yahoo! Inc.)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-583907252-2000478354-839522115-1003_Classes\CLSID\{9289D506-08C3-47D1-8107-68E354BBFBA5}\InprocServer32 -> C:\Documents and Settings\All Users\Application Data\{48C94F6B-5004-4FB7-8E0B-927FA86E578D}\acledit.dll (America Online)

==================== Restore Points  =========================

ATTENTION: System Restore is disabled.

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2003-07-16 15:29 - 2013-11-15 05:28 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{39CFE49B-3195-48FA-A891-36E86B83D597}.job => C:\WINDOWS\system32\msfeedssync.exe

==================== Loaded Modules (whitelisted) ==============

2008-06-11 17:17 - 2008-06-11 17:17 - 00002560 _____ () C:\WINDOWS\runservice.exe
2008-06-11 17:17 - 2008-06-11 17:17 - 00048640 _____ () C:\WINDOWS\mmfs.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


HKU\S-1-5-21-583907252-2000478354-839522115-1003\Software\Classes\exefile: "%1" %* <===== ATTENTION!

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-583907252-2000478354-839522115-1003\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
DNS Servers: 192.168.1.1

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^desktop.ini => C:\WINDOWS\pss\desktop.iniCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk => C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk => C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk => C:\WINDOWS\pss\Privoxy.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk => C:\WINDOWS\pss\Ralink Wireless Utility.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk => C:\WINDOWS\pss\Windows Search.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^Owner^Start Menu^Programs^Startup^6EA5A01DD.lnk => C:\WINDOWS\pss\6EA5A01DD.lnkStartup
MSCONFIG\startupfolder: C:^Documents and Settings^Owner^Start Menu^Programs^Startup^ctfmon.lnk => C:\WINDOWS\pss\ctfmon.lnkStartup
MSCONFIG\startupfolder: C:^Documents and Settings^Owner^Start Menu^Programs^Startup^desktop.ini => C:\WINDOWS\pss\desktop.iniStartup
MSCONFIG\startupfolder: ^defogger_reenable => C:\WINDOWS\pss\defogger_reenableCommon Startup
MSCONFIG\startupfolder: ^ntuser.dat => C:\WINDOWS\pss\ntuser.datCommon Startup
MSCONFIG\startupfolder: ^ntuser.dat.LOG => C:\WINDOWS\pss\ntuser.dat.LOGCommon Startup
MSCONFIG\startupfolder: ^ntuser.ini => C:\WINDOWS\pss\ntuser.iniCommon Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: AVG_UI => "C:\Program Files\AVG\AVG2014\avgui.exe" /TRAYONLY
MSCONFIG\startupreg: BitTorrent DNA => "C:\Program Files\DNA\btdna.exe"
MSCONFIG\startupreg: ctfmon.exe => C:\WINDOWS\system32\ctfmon.exe
MSCONFIG\startupreg: Malwarebytes Anti-Malware (reboot) => "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
MSCONFIG\startupreg: Messenger (Yahoo!) => "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
MSCONFIG\startupreg: Microsoft Works Portfolio => C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
MSCONFIG\startupreg: Microsoft Works Update Detection => C:\Program Files\Microsoft Works\WkDetect.exe
MSCONFIG\startupreg: MSC => "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
MSCONFIG\startupreg: MSMSGS => "C:\Program Files\Messenger\msmsgs.exe" /background
MSCONFIG\startupreg: OneTouch Monitor => C:\PROGRA~1\VISION~1\ONETOU~2.EXE
MSCONFIG\startupreg: PPWebCap => C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
MSCONFIG\startupreg: SpybotSD TeaTimer => C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: SUPERAntiSpyware => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
MSCONFIG\startupreg: UserFaultCheck => %systemroot%\system32\dumprep 0 -u
MSCONFIG\startupreg: WorksFUD => C:\Program Files\Microsoft Works\wkfud.exe

==================== Accounts: =============================

Administrator (S-1-5-21-583907252-2000478354-839522115-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
ASPNET (S-1-5-21-583907252-2000478354-839522115-1004 - Limited - Enabled)
Guest (S-1-5-21-583907252-2000478354-839522115-501 - Limited - Enabled)
HelpAssistant (S-1-5-21-583907252-2000478354-839522115-1000 - Limited - Disabled)
Owner (S-1-5-21-583907252-2000478354-839522115-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Owner
SUPPORT_388945a0 (S-1-5-21-583907252-2000478354-839522115-1002 - Limited - Disabled)

==================== Faulty Device Manager Devices =============

Name: Intel® 82845G/GL/GE/PE/GV Graphics Controller
Description: Intel® 82845G/GL/GE/PE/GV Graphics Controller
Class Guid: {4D36E968-E325-11CE-BFC1-08002BE10318}
Manufacturer: Intel Corporation
Service: ialm
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Broadcom 440x 10/100 Integrated Controller
Description: Broadcom 440x 10/100 Integrated Controller
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Broadcom
Service: bcm4sbxp
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (02/19/2015 10:12:28 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application FRST.exe, version 18.2.2015.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (02/18/2015 04:40:45 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application svchost.exe, version 5.1.2600.5512, faulting module urlmon.dll, version 8.0.6001.23580, fault address 0x00004ffd.
Processing media-specific event for [svchost.exe!ws!]

Error: (02/10/2015 08:43:16 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application svchost.exe, version 5.1.2600.5512, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [svchost.exe!ws!]

Error: (02/09/2015 02:36:05 PM) (Source: ESENT) (EventID: 490) (User: )
Description: svchost (1036) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (02/09/2015 00:07:19 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application svchost.exe, version 5.1.2600.5512, faulting module urlmon.dll, version 8.0.6001.23580, fault address 0x00004ffd.
Processing media-specific event for [svchost.exe!ws!]

Error: (02/08/2015 00:09:19 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application mbam.exe, version 1.0.1.711, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (02/07/2015 01:03:30 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (02/06/2015 06:19:54 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application mplayerc.exe, version 6.4.9.1, faulting module ir50_32.dll, version 5.2562.15.55, fault address 0x0000283f.
Processing media-specific event for [mplayerc.exe!ws!]

Error: (02/04/2015 11:07:41 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application wmplayer.exe, version 11.0.5721.5145, faulting module ivivideo.ax, version 1.0.0.1, fault address 0x00013c96.
Processing media-specific event for [wmplayer.exe!ws!]

Error: (02/04/2015 10:51:26 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application wmplayer.exe, version 11.0.5721.5145, faulting module ivivideo.ax, version 1.0.0.1, fault address 0x00013c96.
Processing media-specific event for [wmplayer.exe!ws!]

System errors:
=============
Error: (02/19/2015 10:17:38 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Update service service failed to start due to the following error:
%%193

Error: (02/19/2015 09:59:10 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (02/19/2015 07:39:35 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Update service service failed to start due to the following error:
%%193

Error: (02/19/2015 07:23:36 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Ralink Registry Writer service terminated unexpectedly.  It has done this 1 time(s).

Error: (02/19/2015 07:16:30 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Update service service failed to start due to the following error:
%%193

Error: (02/19/2015 06:53:54 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Update service service failed to start due to the following error:
%%193

Error: (02/19/2015 05:00:13 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (02/19/2015 11:59:10 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (02/19/2015 06:59:02 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (02/19/2015 00:59:30 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service gupdate with arguments "/comsvc"
in order to run the server:
{4EB61BAC-A3B6-4760-9581-655041EF4D69}

Microsoft Office Sessions:
=========================
Error: (02/19/2015 10:12:28 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: FRST.exe18.2.2015.1hungapp0.0.0.000000000

Error: (02/18/2015 04:40:45 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe5.1.2600.5512urlmon.dll8.0.6001.2358000004ffd

Error: (02/10/2015 08:43:16 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe5.1.2600.55120.0.0.000000000

Error: (02/09/2015 02:36:05 PM) (Source: ESENT) (EventID: 490) (User: )
Description: svchost1036C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.

Error: (02/09/2015 00:07:19 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe5.1.2600.5512urlmon.dll8.0.6001.2358000004ffd

Error: (02/08/2015 00:09:19 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: mbam.exe1.0.1.711hungapp0.0.0.000000000

Error: (02/07/2015 01:03:30 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (02/06/2015 06:19:54 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: mplayerc.exe6.4.9.1ir50_32.dll5.2562.15.550000283f

Error: (02/04/2015 11:07:41 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: wmplayer.exe11.0.5721.5145ivivideo.ax1.0.0.100013c96

Error: (02/04/2015 10:51:26 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: wmplayer.exe11.0.5721.5145ivivideo.ax1.0.0.100013c96

==================== Memory info ===========================

Processor:  Intel® Pentium® 4 CPU 2.40GHz
Percentage of memory in use: 46%
Total physical RAM: 1022 MB
Available physical RAM: 549.82 MB
Total Pagefile: 2461.48 MB
Available Pagefile: 2033.38 MB
Total Virtual: 2047.88 MB
Available Virtual: 1928.56 MB

==================== Drives ================================

---------------------------------------------------------------------------------------------------------------------


Let me know what I should do next.  Thanks for the assistance.
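The FRST report above marks several conditions that a responder reads off by hand: both antivirus products disabled, System Restore disabled, an exefile association flagged ATTENTION, and a per-user CustomCLSID whose InprocServer32 points into a GUID-named folder under Application Data. As an added example, not part of the original post and not FRST's own code, here is a small Python checker that scans FRST-style log lines for those conditions; the finding names, the SECURITY_SOFTWARE list and the GUID-folder heuristic are assumptions made for this example, and the sample lines are copied from this thread's log together with the Group Policy restriction lines quoted in the reply that follows.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the FRST report posted in this
# thread (the real log runs to several hundred lines; only indicator lines are kept).
SAMPLE_LOG = r"""
==================== Security Center ========================
AV: AVG AntiVirus Free Edition 2014 (Disabled - Up to date) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials (Disabled - Up to date) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
==================== Custom CLSID (selected items): ==========================
CustomCLSID: HKU\S-1-5-21-583907252-2000478354-839522115-1003_Classes\CLSID\{9289D506-08C3-47D1-8107-68E354BBFBA5}\InprocServer32 -> C:\Documents and Settings\All Users\Application Data\{48C94F6B-5004-4FB7-8E0B-927FA86E578D}\acledit.dll (America Online)
==================== Restore Points  =========================
ATTENTION: System Restore is disabled.
==================== EXE Association (whitelisted) ===============
HKU\S-1-5-21-583907252-2000478354-839522115-1003\Software\Classes\exefile: "%1" %* <===== ATTENTION!
==================== Group Policy lines quoted in the reply (constructed header) ====
HKLM Group Policy restriction on software: C:\Program Files\AVG\AVG2014 <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\SUPERAntiSpyware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
"""


@dataclass
class Finding:
    kind: str     # short category name (assumed names, used for counting)
    detail: str   # the product, path or value the finding is about
    line: str     # the raw FRST line that produced it


AV_RE = re.compile(r"^AV: (?P<product>.+?) \((?P<state>Enabled|Disabled) - ")
SRP_RE = re.compile(r"^HKLM Group Policy restriction on software: (?P<path>.+?) <=+ ATTENTION")
CLSID_RE = re.compile(r"^CustomCLSID: (?P<key>.+?) -> (?P<path>.+?)(?: \((?P<signer>[^()]*)\))?$")
EXEFILE_RE = re.compile(r"\\exefile: (?P<value>.+?) <=+ ATTENTION")
# A path component that is a bare {GUID} folder, e.g. ...\Application Data\{48C9...}\x.dll
GUID_DIR_RE = re.compile(r"\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\\")

# Assumed list: vendor/product names whose install or data directories appear in
# the Group Policy restriction lines in this thread.
SECURITY_SOFTWARE = ("AVG", "SUPERAntiSpyware", "Microsoft Antimalware", "McAfee",
                     "Trend Micro", "Kaspersky", "Malwarebytes")


def scan_frst(text):
    """Return a list of Finding objects for the indicator lines in an FRST-style log."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AV_RE.match(line)
        if m and m.group("state") == "Disabled":
            findings.append(Finding("av_disabled", m.group("product"), line))
            continue
        if line.startswith("ATTENTION: System Restore is disabled"):
            findings.append(Finding("system_restore_disabled", "System Restore", line))
            continue
        m = SRP_RE.match(line)
        if m:
            path = m.group("path")
            # A software restriction policy aimed at a security product's directory
            # keeps that product from running; anything else is still worth listing.
            kind = ("srp_blocks_security_software"
                    if any(name.lower() in path.lower() for name in SECURITY_SOFTWARE)
                    else "srp_restriction")
            findings.append(Finding(kind, path, line))
            continue
        m = CLSID_RE.match(line)
        if m:
            path = m.group("path")
            # Heuristic (assumed): a per-user COM server living in a GUID-named folder
            # under Application Data is flagged for review rather than trusted.
            if GUID_DIR_RE.search(path) and "Application Data" in path:
                findings.append(Finding("clsid_hijack_candidate", path, line))
            continue
        m = EXEFILE_RE.search(line)
        if m:
            findings.append(Finding("exe_association_modified", m.group("value"), line))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'av_disabled': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in scan_frst(SAMPLE_LOG):
        print(f"{f.kind:30} {f.detail}")
```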



#4 satchfan

  • Malware Response Team
  • 2,641 posts
  • Gender:Female
  • Location:Devon, UK

Posted 20 February 2015 - 08:19 AM

Hi gwhiz9999


P2P - I see you have P2P software, (Winmx), installed on your machine.

We are not here to pass judgment on file-sharing as a concept but we will warn you that engaging in this activity will always make your computer very susceptible to infection and re-infection.

If your computer is infected, it almost certainly contributed to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are more often than not, infected. Those who write malware use P2P file-sharing as a major vehicle to spread their wares.

Please see this topic for more information:

P2P File Sharing Risks.

You can find more about WinMx here.

I would strongly recommend that you uninstall it now. You can do so via Control Panel, Programs, and then Programs and Features.

Should you decide to keep it, please don’t use it until we have finished up here.

===================================================

Uninstall the following programs, if present:

I suggest you uninstall both of these: WinMx, which I have mentioned, and Popcorn Time, which is adware and can result in unwanted adverts/banners.

Winmx Community
Popcorn Time


Also, remove any version of AVG except the latest version.

To remove them:

  • click on Start, Settings, Control Panel
  • double-click Add or Remove Programs (it may take time for the list to appear, so be patient)
  • scroll down the list and look for any of the above entries:
  • if they are present, click on the program name and then on Remove.

===================================================

Run Farbar Recovery Scan Tool

Open notepad (Start >All Programs > Accessories > Notepad). Please copy the entire contents of the code box below.


HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG\AVG2014 <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\avg8 <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Trend Micro <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG\ <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\SUPERAntiSpyware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-583907252-2000478354-839522115-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-583907252-2000478354-839522115-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
S2 Update service; C:\Program Files\Popcorn Time\Updater.exe [179200 2014-10-05] (Company) [File not signed]
S4 gusvc; "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" [X]
U3 TlntSvr; No ImagePath
HKU\S-1-5-21-583907252-2000478354-839522115-1003\Software\Classes\exefile: "%1" %* <===== ATTENTION!

NOTE: this script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system


  • save the file as fixlist.txt in the same folder as FRST – NOTE: it's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST then click Fix just once and wait
  • it will create a log (Fixlog.txt); please post it to your reply.

================================================

Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download RogueKiller to your desktop

  • close all running programs
  • for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on Report and copy/paste the content in your next post together with the
  • NOTE: DO NOT attempt to remove anything that the scan detects – everything that is reported is not necessarily bad

If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.

Please post the contents of the RKreport.txt in your next reply plus Fixlog.txt

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#5 gwhiz9999 (Topic Starter)

Posted 20 February 2015 - 10:07 PM

The file svcxdcl32.exe is something that just turned up, as far as I recall.  Also, I am still getting processes popping up that I know can't be legitimate.  At the time I am typing this, there are 6 cmd.exe processes running, and four msiexec.exe processes.

 

I am told that the winmx program hasn't been used in a very long time, and that the popcorn time program never worked in the first place.  The latter was uninstalled/removed.  As far as I can see, there is only one version of AVG on the computer.

 

Here are the logs you asked for:

 

RogueKiller V10.4.1.0 [Feb 19 2015] by Adlice Software
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Owner [Administrator]
Mode : Scan -- Date : 02/20/2015  19:35:10
 
¤¤¤ Processes : 2 ¤¤¤
[Suspicious.Path] Runservice.exe(1964) -- C:\WINDOWS\runservice.exe[-] -> Killed [TermProc]
[Proc.Injected] svcxdcl32.exe(4088) -- C:\Documents and Settings\Owner\Local Settings\Application Data\svcxdcl32.exe[-] -> Killed [TermProc]
 
¤¤¤ Registry : 24 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | {412677f6-3e59-0ef7-9575-f3740b25f2fa} : "C:\Documents and Settings\All Users\Application Data\Microsoft\{412677f6-3e59-0ef7-9575-f3740b25f2fa}\{412677f6-3e59-0ef7-9575-f3740b25f2fa}.exe"  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | {032b9fc7-cb60-5256-5d24-781a5037b22b} : "C:\Documents and Settings\All Users\Application Data\Microsoft\{032b9fc7-cb60-5256-5d24-781a5037b22b}\{032b9fc7-cb60-5256-5d24-781a5037b22b}.exe"  -> Found
[Suspicious.Path] HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run | Svc2dll : C:\Documents and Settings\Owner\Local Settings\Application Data\svcxdcl32.exe  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | {412677f6-3e59-0ef7-9575-f3740b25f2fa} : "C:\Documents and Settings\All Users\Application Data\Microsoft\{412677f6-3e59-0ef7-9575-f3740b25f2fa}\{412677f6-3e59-0ef7-9575-f3740b25f2fa}.exe"  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | {032b9fc7-cb60-5256-5d24-781a5037b22b} : "C:\Documents and Settings\All Users\Application Data\Microsoft\{032b9fc7-cb60-5256-5d24-781a5037b22b}\{032b9fc7-cb60-5256-5d24-781a5037b22b}.exe"  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LicCtrlService (C:\WINDOWS\runservice.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicCtrlService (C:\WINDOWS\runservice.exe) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme (\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\LicCtrlService (C:\WINDOWS\runservice.exe) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD260EE0-2601-466D-A323-AF8A4076E468} | DhcpNameServer : 68.87.77.134 68.87.72.134  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{BD260EE0-2601-466D-A323-AF8A4076E468} | DhcpNameServer : 68.87.77.134 68.87.72.134  -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{BD260EE0-2601-466D-A323-AF8A4076E468} | DhcpNameServer : 68.87.77.134 68.87.72.134  -> Found
[PUM.Desktop] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt\Parameters | ServiceDll : C:\DOCUME~1\ALLUSE~1\APPLIC~1\DD10A5AE6.cpp  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1       localhost
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD800BB-75FRA0 +++++
--- User ---
[MBR] 1522866a6520d844a402c65c4ed8b097
[BSP] f0531316a6163d16f4ba254ab3fe3bf4 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 76285 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
User = LL2 ... OK
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 18-02-2015 01
Ran by Owner at 2015-02-20 18:42:34 Run:3
Running from C:\Documents and Settings\Owner\Desktop
Loaded Profiles: Owner (Available profiles: Owner & Administrator)
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG\AVG2014 <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\avg8 <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Trend Micro <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG\ <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\SUPERAntiSpyware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-583907252-2000478354-839522115-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-583907252-2000478354-839522115-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
S2 Update service; C:\Program Files\Popcorn Time\Updater.exe [179200 2014-10-05] (Company) [File not signed]
S4 gusvc; "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" [X]
U3 TlntSvr; No ImagePath
HKU\S-1-5-21-583907252-2000478354-839522115-1003\Software\Classes\exefile: "%1" %* <===== ATTENTION!
*****************
 
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
"HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" => Key deleted successfully.
"HKU\S-1-5-21-583907252-2000478354-839522115-1003\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found. 
"HKLM\Software\MozillaPlugins\@java.com/JavaPlugin" => Key deleted successfully.
C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll not found.
c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll not found.
Update service => Service not found.
gusvc => Service deleted successfully.
TlntSvr => Service deleted successfully.
"HKU\S-1-5-21-583907252-2000478354-839522115-1003\Software\Classes\exefile" => Key deleted successfully.
 
==== End of Fixlog 18:42:37 ====


#6 satchfan (Malware Response Team)

Posted 21 February 2015 - 05:11 AM

Run RogueKiller

Please do another scan with RogueKiller.

When it shows the results, under the “Processes” tab, check all the boxes next to these:

[Suspicious.Path] Runservice.exe(1964) -- C:\WINDOWS\runservice.exe[-] -> Killed [TermProc]
[Proc.Injected] svcxdcl32.exe(4088) -- C:\Documents and Settings\Owner\Local Settings\Application Data\svcxdcl32.exe[-] -> Killed [TermProc]

Click on the “Registry” tab, make sure only these are checked:
 


[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | {412677f6-3e59-0ef7-9575-f3740b25f2fa} : "C:\Documents and Settings\All Users\Application Data\Microsoft\{412677f6-3e59-0ef7-9575-f3740b25f2fa}\{412677f6-3e59-0ef7-9575-f3740b25f2fa}.exe"  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | {032b9fc7-cb60-5256-5d24-781a5037b22b} : "C:\Documents and Settings\All Users\Application Data\Microsoft\{032b9fc7-cb60-5256-5d24-781a5037b22b}\{032b9fc7-cb60-5256-5d24-781a5037b22b}.exe"  -> Found
[Suspicious.Path] HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run | Svc2dll : C:\Documents and Settings\Owner\Local Settings\Application Data\svcxdcl32.exe  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | {412677f6-3e59-0ef7-9575-f3740b25f2fa} : "C:\Documents and Settings\All Users\Application Data\Microsoft\{412677f6-3e59-0ef7-9575-f3740b25f2fa}\{412677f6-3e59-0ef7-9575-f3740b25f2fa}.exe"  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | {032b9fc7-cb60-5256-5d24-781a5037b22b} : "C:\Documents and Settings\All Users\Application Data\Microsoft\{032b9fc7-cb60-5256-5d24-781a5037b22b}\{032b9fc7-cb60-5256-5d24-781a5037b22b}.exe"  -> Found
[PUM.Desktop] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt\Parameters | ServiceDll : C:\DOCUME~1\ALLUSE~1\APPLIC~1\DD10A5AE6.cpp  -> Found

then press the Delete button and post the log it produces.

===================================================

Download and run ComboFix

Download ComboFix from the following location:

Link

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, as they may otherwise interfere with our tools. See here for programs that need to be disabled and instructions on how to disable them.
  • Remember to re-enable them when we're done.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [image: the ComboFix prompt shown when the Recovery Console is already installed]

 

  • Click on Yes, to continue scanning for malware.

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When finished, it will produce a log. Please include the ComboFix.txt in your next reply. It can be found at C:\ComboFix.txt

Please also remember to also include the Rogue Killer log.

Satchfan

 

 


Edited by satchfan, 21 February 2015 - 05:18 AM.

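The scan report format posted in #5 and the selection satchfan makes from it in #6 can be triaged mechanically. The Python below is an added example, not RogueKiller's code and not part of the helper's procedure: it parses report lines into findings and ranks them with rules drawn from this thread (autoruns launched from Application Data or GUID-named paths, the winmgmt ServiceDll pointed away from system32\wbem, PUM.* entries treated as policy changes rather than malware); the severity labels are the example's own assumptions, and the sample lines are copied from the report above.

```python
"""Triage of a RogueKiller scan report in the format posted in this thread.
Added example: the parser and severity rules are this example's own assumptions,
not RogueKiller's logic or the helper's procedure."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One finding: "[Category.Sub] <body> -> <status>"
LINE_RE = re.compile(r"^\[(?P<category>[A-Za-z]+\.[A-Za-z]+)\]\s+(?P<body>.*?)\s+->\s+(?P<status>.+?)\s*$")
# Process body: "<exe>(<pid>) -- <image>[-]"
PROC_RE = re.compile(r"^\S+?\((?P<pid>\d+)\)\s+--\s+(?P<image>.+)$")
# Registry value body: "<key> | <name> : <data>"
VALUE_RE = re.compile(r"^(?P<key>[^|]+?)\s+\|\s+(?P<name>[^:]+?)\s+:\s+(?P<data>.+)$")
# Service body: "<key> (<image path>)"
SERVICE_RE = re.compile(r"^\S+\s+\((?P<image>.+)\)$")
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
# Where winmgmt's ServiceDll belongs; the Delete report above shows RogueKiller
# restoring it to %systemroot%\system32\wbem\WMIsvc.dll.
WMI_SERVICE_DLL = "system32\\wbem\\wmisvc.dll"


@dataclass
class Finding:
    category: str
    body: str
    status: str
    severity: str  # "high", "medium" or "info" (assumed labels)
    reason: str


def _user_writable(path: str) -> bool:
    """Profile data directories and Temp are writable without admin rights."""
    p = path.lower()
    return any(m in p for m in ("application data", "local settings",
                                "\\temp\\", "applic~1", "locals~1"))


def classify(category: str, body: str) -> tuple[str, str]:
    """(severity, reason) for one report line, by the patterns seen in this thread."""
    if category.startswith("Proc.") or PROC_RE.match(body):
        return "high", "running process flagged (" + category + ")"
    if category.startswith("PUM."):
        # Potentially Unwanted Modification: policy/UI changes, often legitimate
        # (DhcpNameServer, for one, is just the DNS server handed out by DHCP)
        return "info", "policy modification, not necessarily malicious"
    m = VALUE_RE.match(body)
    if m:
        key, name = m.group("key").lower(), m.group("name").lower()
        data = re.sub(r"\s+\[[-x]\]$", "", m.group("data")).strip('"')
        if key.endswith("\\run"):
            if _user_writable(data) or GUID_RE.search(data):
                return "high", "autorun from user-writable or GUID-named path"
            return "medium", "autorun entry at unusual path"
        if "winmgmt\\parameters" in key and name == "servicedll":
            if not data.lower().endswith(WMI_SERVICE_DLL):
                return "high", "WMI ServiceDll redirected away from " + WMI_SERVICE_DLL
            return "info", "WMI ServiceDll at expected location"
        return "medium", "registry value with suspicious path"
    m = SERVICE_RE.match(body)
    if m and _user_writable(m.group("image")):
        return "medium", "service image in Temp/profile; check it is not a scanner's own driver"
    return "medium", "suspicious path outside the usual program locations"


def parse_report(text: str) -> list[Finding]:
    """Findings from a report; headers, section markers and the MBR block are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sev, why = classify(m.group("category"), m.group("body"))
            findings.append(Finding(m.group("category"), m.group("body"),
                                    m.group("status"), sev, why))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, the order a responder would review them in."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample: lines taken from the Scan report posted above.
SAMPLE_REPORT = r"""
Mode : Scan -- Date : 02/20/2015  19:35:10
[Suspicious.Path] Runservice.exe(1964) -- C:\WINDOWS\runservice.exe[-] -> Killed [TermProc]
[Proc.Injected] svcxdcl32.exe(4088) -- C:\Documents and Settings\Owner\Local Settings\Application Data\svcxdcl32.exe[-] -> Killed [TermProc]
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | {412677f6-3e59-0ef7-9575-f3740b25f2fa} : "C:\Documents and Settings\All Users\Application Data\Microsoft\{412677f6-3e59-0ef7-9575-f3740b25f2fa}\{412677f6-3e59-0ef7-9575-f3740b25f2fa}.exe"  -> Found
[Suspicious.Path] HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run | Svc2dll : C:\Documents and Settings\Owner\Local Settings\Application Data\svcxdcl32.exe  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LicCtrlService (C:\WINDOWS\runservice.exe) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD260EE0-2601-466D-A323-AF8A4076E468} | DhcpNameServer : 68.87.77.134 68.87.72.134  -> Found
[PUM.Desktop] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt\Parameters | ServiceDll : C:\DOCUME~1\ALLUSE~1\APPLIC~1\DD10A5AE6.cpp  -> Found
"""
```

Running `summarize(parse_report(SAMPLE_REPORT))` on the sample yields five high, two medium and two info findings; the two medium ones (catchme.sys and LicCtrlService) are exactly the entries the helper left unselected in #6.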


#7 gwhiz9999 (Topic Starter)

Posted 21 February 2015 - 06:21 PM

A few things...

 

On Rogue, the first two items (processes) were automatically killed by the program.  There were no boxes to check.  Also, the items you wanted checked in the registry list were already checked, and they were the only ones checked.  That is just for your information, in case it matters.

 

Most notable is that, despite the fact that I turned off AVG's real time protection, Combofix ended up hanging when it started deleting files.  It went through all of the stages, through 50, I believe, and did a little bit more, then after deleting 4-5 files, it stopped and did nothing for a VERY long time.  It clearly locked up.  I had no choice but to shut it down.  The file it had most recently deleted was something like "wmsys...(something)exe."  No log was produced.  I didn't know if I should try to run it again, or not.  I know that the people you are helping aren't supposed to run any scans unless told to do so, so I will wait to see what you instruct me to do.

 

The Rogue log is this:

 

RogueKiller V10.4.1.0 [Feb 19 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Owner [Administrator]
Mode : Delete -- Date : 02/21/2015  16:12:26

¤¤¤ Processes : 2 ¤¤¤
[Suspicious.Path] Runservice.exe(1440) -- C:\WINDOWS\runservice.exe[-] -> Killed [TermProc]
[Proc.Injected] svcxdcl32.exe(2876) -- C:\Documents and Settings\Owner\Local Settings\Application Data\svcxdcl32.exe[-] -> Killed [TermProc]

¤¤¤ Registry : 24 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | {412677f6-3e59-0ef7-9575-f3740b25f2fa} : "C:\Documents and Settings\All Users\Application Data\Microsoft\{412677f6-3e59-0ef7-9575-f3740b25f2fa}\{412677f6-3e59-0ef7-9575-f3740b25f2fa}.exe" [-] -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | {032b9fc7-cb60-5256-5d24-781a5037b22b} : "C:\Documents and Settings\All Users\Application Data\Microsoft\{032b9fc7-cb60-5256-5d24-781a5037b22b}\{032b9fc7-cb60-5256-5d24-781a5037b22b}.exe" [-] -> Deleted
[Suspicious.Path] HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run | Svc2dll : C:\Documents and Settings\Owner\Local Settings\Application Data\svcxdcl32.exe [-] -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | {412677f6-3e59-0ef7-9575-f3740b25f2fa} : "C:\Documents and Settings\All Users\Application Data\Microsoft\{412677f6-3e59-0ef7-9575-f3740b25f2fa}\{412677f6-3e59-0ef7-9575-f3740b25f2fa}.exe" [-] -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | {032b9fc7-cb60-5256-5d24-781a5037b22b} : "C:\Documents and Settings\All Users\Application Data\Microsoft\{032b9fc7-cb60-5256-5d24-781a5037b22b}\{032b9fc7-cb60-5256-5d24-781a5037b22b}.exe" [-] -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys) -> Not selected
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LicCtrlService (C:\WINDOWS\runservice.exe) -> Not selected
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys) -> Not selected
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicCtrlService (C:\WINDOWS\runservice.exe) -> Not selected
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme (\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys) -> Not selected
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\LicCtrlService (C:\WINDOWS\runservice.exe) -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BD260EE0-2601-466D-A323-AF8A4076E468} | DhcpNameServer : 68.87.77.134 68.87.72.134  -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{BD260EE0-2601-466D-A323-AF8A4076E468} | DhcpNameServer : 68.87.77.134 68.87.72.134  -> Not selected
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{BD260EE0-2601-466D-A323-AF8A4076E468} | DhcpNameServer : 68.87.77.134 68.87.72.134  -> Not selected
[PUM.Desktop] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore | DisableSR : 1  -> Not selected
[PUM.StartMenu] HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0  -> Not selected
[PUM.StartMenu] HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Not selected
[PUM.StartMenu] HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Not selected
[PUM.StartMenu] HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Not selected
[PUM.StartMenu] HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0  -> Not selected
[PUM.StartMenu] HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> Not selected
[PUM.StartMenu] HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0  -> Not selected
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt\Parameters | ServiceDll : C:\DOCUME~1\ALLUSE~1\APPLIC~1\DD10A5AE6.cpp [x] -> Replaced (%systemroot%\system32\wbem\WMIsvc.dll)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD800BB-75FRA0 +++++
--- User ---
[MBR] 1522866a6520d844a402c65c4ed8b097
[BSP] f0531316a6163d16f4ba254ab3fe3bf4 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 76285 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
User = LL2 ... OK

============================================
RKreport_SCN_02202015_193509.log - RKreport_SCN_02212015_142310.log - RKreport_SCN_02212015_151237.log

 

 

**************NOTE:  I just turned real time protection from AVG back on, and it immediately popped up a couple detections about "Trojan horse BackDoor.Generic18.BPUY"

 

Apparently it is the file "c:\documents and settings\all users\application data\{48c94f6b-5004-4fb7-8e0b-927fa86e578d}\acledit.dll"

 

It shows under both errors, with one bringing up c:\windows\explorer.exe, and the other c:\program files\internet explorer\iexplorer.exe.  I did not delete them or otherwise take any action.  AVG said that it blocked them, but wanted to know what I want to do about them, etc...

 

One more thing... do I need to shut off ALL aspects of AVG to run combofix, or just the basic real time protection?  What I mean is, do I need to disable not only the protection under "computer," but also under the "web browsing"..."identity"...and "emails" tabs?  Is that possibly why Combofix locked up?  It seemed to run fine, with no warnings or major lagging, until it started deleting files, like I mentioned.



#8 satchfan (Malware Response Team)

Posted 22 February 2015 - 04:03 AM

Please try running ComboFix again in safe mode.




#9 gwhiz9999 (Topic Starter)

Posted 22 February 2015 - 05:18 PM

It ran in safe mode, but I had to do it in "safe mode with networking," since running plain "safe mode" left me with a dead keyboard and mouse.  After it ran, it restarted the PC without my knowledge, in regular boot up.  It presented a "log.txt" file automatically.  It appears to be the exact same thing as the combofix.txt file.  Here it is:

 

ComboFix 15-02-16.01 - Owner 02/22/2015  14:56:05.5.1 - x86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1022.788 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Local Settings\Application Data\kidrahb.dll
.
---- Previous Run -------
.
c:\documents and settings\Owner\Local Settings\Application Data\svcxdcl32.exe
c:\windows\FrameworkUpdate\Update.exe
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\wmsysprx.prx
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SYSTEMUPDATE
-------\Service_SystemUpdate
-------\Legacy_SYSTEMUPDATE
.
.
(((((((((((((((((((((((((   Files Created from 2015-01-22 to 2015-02-22  )))))))))))))))))))))))))))))))
.
.
2015-02-21 00:20 . 2015-02-21 20:05 35064 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2015-02-21 00:20 . 2015-02-21 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\RogueKiller
2015-02-16 17:20 . 2015-02-17 07:51 376871 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\{032b9fc7-cb60-5256-5d24-781a5037b22b}\{032b9fc7-cb60-5256-5d24-781a5037b22b}.exe
2015-02-11 01:14 . 2015-02-21 22:04 -------- d-----w- c:\windows\FrameworkUpdate
2015-02-08 12:48 . 2015-02-12 05:41 341045 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\{412677f6-3e59-0ef7-9575-f3740b25f2fa}\{412677f6-3e59-0ef7-9575-f3740b25f2fa}.exe
2015-02-07 15:54 . 2015-02-22 20:14 -------- d--h--w- c:\documents and settings\All Users\Application Data\{48C94F6B-5004-4FB7-8E0B-927FA86E578D}
2015-01-25 14:38 . 2015-02-09 19:45 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-01-25 14:36 . 2015-01-25 14:36 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2015-01-25 14:36 . 2014-11-21 11:14 54360 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-01-25 14:36 . 2014-11-21 11:14 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-01-26 19:56 . 2012-10-12 06:15 701616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-01-26 19:56 . 2012-04-04 09:06 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-03-08 . B60DDDD2D63CE41CB8C487FCFBB6419E . 638816 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ie8\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2009-12-01 6373376]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-12-20 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0c:\progra~1\AVG\AVG2014\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
backup=c:\windows\pss\Ralink Wireless Utility.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^6EA5A01DD.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\6EA5A01DD.lnk
backup=c:\windows\pss\6EA5A01DD.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^ctfmon.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\ctfmon.lnk
backup=c:\windows\pss\ctfmon.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup
.
[HKLM\~\startupfolder\^defogger_reenable]
path=\defogger_reenable
backup=c:\windows\pss\defogger_reenableCommon Startup
.
[HKLM\~\startupfolder\^ntuser.dat]
path=\ntuser.dat
backup=c:\windows\pss\ntuser.datCommon Startup
.
[HKLM\~\startupfolder\^ntuser.dat.LOG]
path=\ntuser.dat.LOG
backup=c:\windows\pss\ntuser.dat.LOGCommon Startup
.
[HKLM\~\startupfolder\^ntuser.ini]
path=\ntuser.ini
backup=c:\windows\pss\ntuser.iniCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2014-12-19 16:50 1022152 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_UI]
2014-12-16 17:11 5188112 ----a-w- c:\program files\AVG\AVG2014\avgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-13 08:58 323392 ----a-w- c:\program files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2012-05-25 08:25 6595928 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2000-08-08 20:00 311350 -c--a-w- c:\program files\Microsoft Works\wkssb.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2000-08-08 20:00 28739 -c--a-w- c:\program files\Microsoft Works\WkDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPWebCap]
2010-08-12 00:05 43008 -c--a-w- c:\progra~1\ScanSoft\PAPERP~1\PPWEBCAP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 -c--a-w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 13:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2013-09-14 13:32 5703920 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2000-08-08 20:00 24576 -c--a-w- c:\program files\Microsoft Works\wkfud.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"aawservice"=2 (0x2)
"!SASCORE"=2 (0x2)
"gusvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"FontCache3.0.0.0"=3 (0x3)
"wlidsvc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\WINMX\\WinMX.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\XP Codec Pack\\mpc\\mplayerc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2198:TCP"= 2198:TCP:Remote Assistance Local
"2856:TCP"= 2856:TCP:Remote Assistance Remote
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [5/13/2014 1:17 PM 147736]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [5/13/2014 1:17 PM 241944]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [5/13/2014 1:04 PM 27416]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [5/13/2014 1:17 PM 121624]
R1 AVGIDSDriverl;AVGIDSDriverl;c:\windows\system32\drivers\avgidsdriverlx.sys [6/17/2014 3:17 PM 191256]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [5/13/2014 1:04 PM 21272]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [5/13/2014 1:19 PM 189720]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [5/13/2014 1:17 PM 197400]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 1:25 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67664]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2014\avgidsagent.exe [12/16/2014 12:15 PM 3247120]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2014\avgwdsvc.exe [12/16/2014 12:09 PM 289328]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [6/11/2008 5:17 PM 2560]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [6/24/2011 12:06 PM 19072]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [10/23/2013 8:15 AM 172192]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/29/2010 12:48 PM 116608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-02-21 19:03 1084744 ----a-w- c:\program files\Google\Chrome\Application\40.0.2214.115\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-02 07:12]
.
2015-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-02 07:12]
.
2015-02-22 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-13 01:59]
.
2015-02-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-13 01:59]
.
2015-02-22 c:\windows\Tasks\User_Feed_Synchronization-{39CFE49B-3195-48FA-A891-36E86B83D597}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
Trusted Zone: google.com
Trusted Zone: google.com\maps
Trusted Zone: google.com\www
Trusted Zone: yahoo.com\games
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
MSConfigStartUp-MSC - c:\program files\Microsoft Security Client\msseces.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-02-22 15:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5a,5d,47,e2,e7,f2,bf,7c,70,d7,e1,1f,4d,d8,fe,ef,85,dd,b9,a0,a3,05,85,
   e5,60,01,51,38,1d,47,48,5b,b4,14,b1,3e,97,cc,33,9d,08,9f,2b,aa,24,7d,d5,41,\
"??"=hex:4e,5b,94,3c,fd,7c,e9,4e,cd,39,69,eb,e3,76,76,ba
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_296_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_296_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\WININET.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ralink\Common\RaRegistry.exe
c:\windows\BCMSMMSG.exe
.
**************************************************************************
.
Completion time: 2015-02-22  15:21:44 - machine was rebooted
ComboFix-quarantined-files.txt  2015-02-22 20:21
ComboFix2.txt  2013-12-05 14:00
ComboFix3.txt  2013-11-15 10:32
ComboFix4.txt  2010-08-17 10:16
.
Pre-Run: 3,316,576,256 bytes free
Post-Run: 3,305,164,800 bytes free
.
- - End Of File - - DDA3E3914A6D954E831D63EAAE097557
8F558EB6672622401DA993E1E865C861
---------------------------------------------------------------------------------------------------

I am still getting weird things running in the processes... cmd.exe, msdtc.exe, ctfmon.exe, and some others that appear to be clones of various things.  Plus, something is still almost always hogging the usage percentage, often explorer.exe, but sometimes other things.



#10 satchfan

  • Malware Response Team
  • 2,641 posts
  • Gender:Female
  • Location:Devon, UK
  • Local time:09:30 PM

Posted 22 February 2015 - 07:03 PM

I’d like you to run another scan to help me look at other possibilities because I think the issue may be a bit more of a problem than I thought initially.


Run TDSSKiller

Please download TDSSKiller.zip

  • extract it to your desktop
  • double click TDSSKiller.exe
  • press Start Scan


    Note: only if malicious objects are found, ensure Cure is selected. If Cure is not available, please choose Skip instead: do not change it to Delete or Quarantine, as it may delete infected files that are required for Windows to operate properly.

  • click Continue > Reboot now
  • copy and paste the log in your next reply
  • a copy of the log will be saved automatically to the root of the drive (typically C:\) called TDSSKiller_*** (*** denotes version & date)

Additional information:

If you get the warning about a file “UnsignedFile.Multi.Generic” or “LockedFile.Multi.Generic”, please choose Skip and click on Continue.

Any entries like this: \Device\Harddisk0\DR0 TDSS File System - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue and then reboot to finish the cleaning process.

Remember, if Cure is not available, choose Skip instead; do not choose “Delete” unless instructed.

Please post the TDSSKiller log in your next reply.

Thanks

Satchfan

My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#11 gwhiz9999

  • Topic Starter
  • Members
  • 108 posts
  • Local time:05:30 PM

Posted 22 February 2015 - 07:30 PM

I ran the scan, and it found no threats, nor was any log produced.



#12 gwhiz9999

  • Topic Starter
  • Members
  • 108 posts
  • Local time:05:30 PM

Posted 22 February 2015 - 07:33 PM

I don't know if it matters, but AVG's live protection was running.  It is continuously popping up detections that seem to all originate from the same source, but with it showing up in a bunch of different .exe files, which seem to match the things that keep popping up in the process list on Task Manager.



#13 satchfan

  • Malware Response Team
  • 2,641 posts
  • Gender:Female
  • Location:Devon, UK
  • Local time:09:30 PM

Posted 23 February 2015 - 10:39 AM

We'll sort a few things from ComboFix and then I need a couple more scans.

Open ComboFix

Please do the following:

  • close any open browsers.
  • close/disable all anti virus and anti malware programs so that they do not interfere with the running of ComboFix.
  • open notepad and copy/paste the text in the codebox below into it:

Folder::
c:\documents and settings\All Users\Application Data\Microsoft\{032b9fc7-cb60-5256-5d24-781a5037b22b}
c:\documents and settings\All Users\Application Data\Microsoft\{412677f6-3e59-0ef7-9575-f3740b25f2fa}
c:\documents and settings\All Users\Application Data\{48C94F6B-5004-4FB7-8E0B-927FA86E578D}

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\WINMX\\WinMX.exe"=-

Save this as "CFScript.txt" with Type: All Files (*.*), in the same location as ComboFix.exe.

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it produces a log at C:\ComboFix.txt.  Post the contents of Combofix.txt in your next reply.

================================================

Submit a file to VirusTotal

Go to VirusTotal and submit this file for analysis:

c:\\Program Files\\XP Codec Pack\\mpc\\mplayerc.exe

  • click on Browse
  • click on the arrow and choose Local Disc (C:)

    [Image: ChooseLocaldiscC.jpg]

  • below, double-click on Program Files
  • double-click on the XP Codec Pack folder and then mpc
  • locate the file mplayerc.exe click on it and then on Open
  • click on Send File
  • if you get a message saying File has already been analyzed, click Reanalyze file now.

You will get a report back; post the report into this thread for me to see.

================================================

Run Malwarebytes’ Anti-Malware

I noticed that you had MBAM on your system: if you no longer have it, you can download it from here:

  • start Malwarebytes Anti-Malware and update it (“Update” tab)
  • once it is updated, click on the “Scan” tab, select Threat Scan, then click Scan.
  • when the scan is complete, if no malicious items are found you can close the program
  • if malicious items are found be sure that everything is checked and click Quarantine
  • when removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • the log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • copy and paste the contents of that report in your next reply and exit MBAM.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Logs to include with the next post:

ComboFix.txt
VirusTotal result
Mbam.txt


Thanks

Satchfan

My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.
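An added example (not ComboFix's, the helper's, or the forum's own code) of the triage behind the CFScript above: it parses ComboFix "Files Created" lines in the format the logs in this thread use, flags GUID-named folders and executables under Application Data (the pattern removed via Folder:: in this post), and emits the matching Folder:: section for a human to review. The sample log lines are constructed to mirror this thread's entries; the date and size on the .exe line are invented.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One ComboFix "Files Created" line: created . modified size attrs path
# size is "--------" for directories; attrs is an 8-character flag field
# such as "----a-w-" or "d--h--w-" (directory, hidden, writable).
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{8}) (?P<path>\S.*)$"
)
# A bare GUID in braces, the naming scheme of the folders removed in post #13.
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


@dataclass(frozen=True)
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def is_hidden(self) -> bool:
        return "h" in self.attrs


def parse_entries(log_text: str) -> List[Entry]:
    """Extract structured entries; banners, '.' separators and prose are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def _leaf_without_exe(path: str) -> str:
    leaf = path.rstrip("\\").rsplit("\\", 1)[-1]
    return leaf[:-4] if leaf.lower().endswith(".exe") else leaf


def suspicious_guid_paths(entries: List[Entry]) -> List[str]:
    """Paths under Application Data whose leaf is a bare GUID or GUID.exe.

    Legitimate installers also use GUID-named folders, so the result is a
    review list for a human, not an automatic verdict.
    """
    hits = []
    for e in entries:
        if "\\application data\\" not in e.path.lower():
            continue
        if GUID_RE.fullmatch(_leaf_without_exe(e.path)):
            hits.append(e.path)
    return hits


def cfscript_folder_section(paths: List[str]) -> str:
    """Build the Folder:: block of a CFScript for the flagged paths.

    Folder:: removes a directory with its contents, so an .exe hit is
    collapsed to its parent directory; order is kept, duplicates dropped.
    """
    folders: List[str] = []
    for p in paths:
        folder = p.rsplit("\\", 1)[0] if p.lower().endswith(".exe") else p
        if folder not in folders:
            folders.append(folder)
    return "Folder::\n" + "\n".join(folders) + "\n"


# Constructed sample modelled on the logs in this thread (the .exe line's
# timestamps and size are invented).
SAMPLE_LOG = r"""
(((((((((((((((((((((((((   Files Created from 2015-01-24 to 2015-02-22  )))))))))))))))))))))))))))))))
.
2015-02-07 15:54 . 2015-02-22 20:14 -------- d--h--w- c:\documents and settings\All Users\Application Data\{48C94F6B-5004-4FB7-8E0B-927FA86E578D}
2015-02-07 15:54 . 2015-02-07 15:54 -------- d--h--w- c:\documents and settings\All Users\Application Data\Microsoft\{032b9fc7-cb60-5256-5d24-781a5037b22b}
2015-02-07 15:54 . 2015-02-07 15:54 203776 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\{032b9fc7-cb60-5256-5d24-781a5037b22b}\{032b9fc7-cb60-5256-5d24-781a5037b22b}.exe
2015-01-25 14:38 . 2015-02-09 19:45 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-01-25 14:36 . 2015-01-25 14:36 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
.
"""

if __name__ == "__main__":
    flagged = suspicious_guid_paths(parse_entries(SAMPLE_LOG))
    print(cfscript_folder_section(flagged))
```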


#14 gwhiz9999

  • Topic Starter
  • Members
  • 108 posts
  • Local time:05:30 PM

Posted 24 February 2015 - 04:15 AM

I don't know what MalwareBytes is going to do after I run it (it may cause a restart), so I am going to post the Combofix log first, and I will give you what the "virustotal" page has.  Virustotal didn't produce a log, per se, but there is a tab that says "Behavioral Information" and under that it says "condensed report".  I have to assume that is what you wanted.  FYI... it turned up 0/57 "detection ratio," in case that is important.  I will run MalwareBytes right after posting this and then post whatever that gives me in a separate message.  Thanks for your help.

-------------------------------------

ComboFix 15-02-16.01 - Owner 02/24/2015   3:34.6.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1022.622 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\{48C94F6B-5004-4FB7-8E0B-927FA86E578D}
c:\documents and settings\All Users\Application Data\Microsoft\{032b9fc7-cb60-5256-5d24-781a5037b22b}
c:\documents and settings\All Users\Application Data\Microsoft\{032b9fc7-cb60-5256-5d24-781a5037b22b}\{032b9fc7-cb60-5256-5d24-781a5037b22b}.exe
c:\documents and settings\All Users\Application Data\Microsoft\{412677f6-3e59-0ef7-9575-f3740b25f2fa}
c:\documents and settings\All Users\Application Data\Microsoft\{412677f6-3e59-0ef7-9575-f3740b25f2fa}\{412677f6-3e59-0ef7-9575-f3740b25f2fa}.exe
.
.
(((((((((((((((((((((((((   Files Created from 2015-01-24 to 2015-02-24  )))))))))))))))))))))))))))))))
.
.
2015-02-21 00:20 . 2015-02-21 20:05 35064 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2015-02-21 00:20 . 2015-02-21 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\RogueKiller
2015-02-11 01:14 . 2015-02-21 22:04 -------- d-----w- c:\windows\FrameworkUpdate
2015-01-25 14:38 . 2015-02-09 19:45 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-01-25 14:36 . 2015-01-25 14:36 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2015-01-25 14:36 . 2014-11-21 11:14 54360 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-01-25 14:36 . 2014-11-21 11:14 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-01-26 19:56 . 2012-10-12 06:15 701616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-01-26 19:56 . 2012-04-04 09:06 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-03-08 . B60DDDD2D63CE41CB8C487FCFBB6419E . 638816 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ie8\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2009-12-01 6373376]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-12-20 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0c:\progra~1\AVG\AVG2014\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
backup=c:\windows\pss\Ralink Wireless Utility.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^6EA5A01DD.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\6EA5A01DD.lnk
backup=c:\windows\pss\6EA5A01DD.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^ctfmon.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\ctfmon.lnk
backup=c:\windows\pss\ctfmon.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup
.
[HKLM\~\startupfolder\^defogger_reenable]
path=\defogger_reenable
backup=c:\windows\pss\defogger_reenableCommon Startup
.
[HKLM\~\startupfolder\^ntuser.dat]
path=\ntuser.dat
backup=c:\windows\pss\ntuser.datCommon Startup
.
[HKLM\~\startupfolder\^ntuser.dat.LOG]
path=\ntuser.dat.LOG
backup=c:\windows\pss\ntuser.dat.LOGCommon Startup
.
[HKLM\~\startupfolder\^ntuser.ini]
path=\ntuser.ini
backup=c:\windows\pss\ntuser.iniCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2014-12-19 16:50 1022152 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_UI]
2014-12-16 17:11 5188112 ----a-w- c:\program files\AVG\AVG2014\avgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-13 08:58 323392 ----a-w- c:\program files\DNA\btdna.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2012-05-25 08:25 6595928 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2000-08-08 20:00 311350 -c--a-w- c:\program files\Microsoft Works\wkssb.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2000-08-08 20:00 28739 -c--a-w- c:\program files\Microsoft Works\WkDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPWebCap]
2010-08-12 00:05 43008 -c--a-w- c:\progra~1\ScanSoft\PAPERP~1\PPWEBCAP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 -c--a-w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 13:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2013-09-14 13:32 5703920 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2000-08-08 20:00 24576 -c--a-w- c:\program files\Microsoft Works\wkfud.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"!SASCORE"=2 (0x2)
"gusvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"FontCache3.0.0.0"=3 (0x3)
"wlidsvc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\XP Codec Pack\\mpc\\mplayerc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2014\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2198:TCP"= 2198:TCP:Remote Assistance Local
"2856:TCP"= 2856:TCP:Remote Assistance Remote
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [5/13/2014 1:17 PM 147736]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [5/13/2014 1:17 PM 241944]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [5/13/2014 1:04 PM 27416]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [5/13/2014 1:17 PM 121624]
R1 AVGIDSDriverl;AVGIDSDriverl;c:\windows\system32\drivers\avgidsdriverlx.sys [6/17/2014 3:17 PM 191256]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [5/13/2014 1:04 PM 21272]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [5/13/2014 1:19 PM 189720]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [5/13/2014 1:17 PM 197400]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 1:25 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67664]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2014\avgidsagent.exe [12/16/2014 12:15 PM 3247120]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2014\avgwdsvc.exe [12/16/2014 12:09 PM 289328]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [6/24/2011 12:06 PM 19072]
S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [6/11/2008 5:17 PM 2560]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [10/23/2013 8:15 AM 172192]
S4 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/29/2010 12:48 PM 116608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-02-21 19:03 1084744 ----a-w- c:\program files\Google\Chrome\Application\40.0.2214.115\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-02 07:12]
.
2015-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-11-02 07:12]
.
2015-02-24 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-13 01:59]
.
2015-02-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-13 01:59]
.
2015-02-24 c:\windows\Tasks\User_Feed_Synchronization-{39CFE49B-3195-48FA-A891-36E86B83D597}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
Trusted Zone: google.com
Trusted Zone: google.com\maps
Trusted Zone: google.com\www
Trusted Zone: yahoo.com\games
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-02-24 03:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-583907252-2000478354-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5a,5d,47,e2,e7,f2,bf,7c,70,d7,e1,1f,4d,d8,fe,ef,85,dd,b9,a0,a3,05,85,
   e5,60,01,51,38,1d,47,48,5b,b4,14,b1,3e,97,cc,33,9d,08,9f,2b,aa,24,7d,d5,41,\
"??"=hex:4e,5b,94,3c,fd,7c,e9,4e,cd,39,69,eb,e3,76,76,ba
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_296_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_296_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2015-02-24  03:53:15
ComboFix-quarantined-files.txt  2015-02-24 08:53
ComboFix2.txt  2015-02-22 20:22
ComboFix3.txt  2013-12-05 14:00
ComboFix4.txt  2013-11-15 10:32
ComboFix5.txt  2015-02-24 08:31
.
Pre-Run: 2,558,320,640 bytes free
Post-Run: 3,103,395,840 bytes free
.
- - End Of File - - 134BA94B934002F853CD7113427030BE
8F558EB6672622401DA993E1E865C861
--------------------------

(virustotal.com report)
Condensed report! The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.

Opened files

C:\38f6e62ca84f698ec887127fc9c324ef5d699ea81e7c12c7cdaaaf3d332cac0a (successful)
\\.\PIPE\lsarpc (successful)
C:\WINDOWS\system32\winsock.dll (successful)
C:\WINDOWS\system32\drwtsn32.exe (successful)
C:\WINDOWS\system32\netmsg.dll (successful)

Read files

C:\WINDOWS\system32\winsock.dll (successful)

Deleted files

ini (failed)

Created processes

C:\WINDOWS\system32\drwtsn32 -p 1044 -e 252 -g (successful)

Created mutexes

MediaPlayerClassicW (successful)

Opened mutexes

ShimCacheMutex (successful)

Hooking activity

TYPE: WH_MSGFILTER
METHOD: SetWindowsHook (successful)
TYPE: WH_CBT
METHOD: SetWindowsHook (successful)

Runtime DLLs

uxtheme.dll (successful)
c:\38f6e62ca84f698ec887127fc9c324ef5d699ea81e7c12c7cdaaaf3d332cac0aenu.dll (failed)
c:\38f6e62ca84f698ec887127fc9c324ef5d699ea81e7c12c7cdaaaf3d332cac0aloc.dll (failed)
comctl32.dll (successful)
rpcrt4.dll (successful)
shlwapi.dll (successful)
version.dll (successful)
shell32.dll (successful)
advapi32.dll (successful)
ntdll.dll (successful)
kernel32.dll (successful)

Additional details

The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.

Edited by gwhiz9999, 24 February 2015 - 04:19 AM.


#15 gwhiz9999

gwhiz9999
  • Topic Starter

  • Members
  • 108 posts
  • OFFLINE
  • Local time:05:30 PM

Posted 24 February 2015 - 04:57 AM

Here is the MBAM log... it found one item and I quarantined it.


Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/24/2015
Scan Time: 4:21:50: AM
Logfile: MBAM LOG 2-24  455 AM.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.24.02
Rootkit Database: v2015.02.22.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Owner

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 358236
Time Elapsed: 30 min, 9 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Trojan.Agent, C:\Documents and Settings\Owner\Local Settings\Application Data\svcxdcl32.dat, Quarantined, [d96965bdcdbde05661fd378eac576997],

Physical Sectors: 0
(No malicious items detected)

(end)